I have been trying to implement the HTTP Event Collector, initially I setup Splunk Enterprise On-Premise on a Windows VM on Azure and tried to implement the HTTP Collector following the Splunk documentation below and although I could post locally I was unable to post from a remote location. I setup the appropriate security groups to allow 8088 and updated the firewall to allow 8088 but I couldn't post to the HEC remotely.
I then tried to use the AWS Marketplace Splunk Enterprise AMI Image thinking it might not have the same issue and tried to implement the HTTP Event Collector.
I have set up a test as per the documentation, enabling HEC and setting up a token and this is what I am experiencing.
If I post to the collector locally it works but if I try to post the same remotely (obviously with the correct IP rather than localhost) it doesn't work.
In AWS my NACL for the subnet currently allows all traffic and I have a security group attached to the instance that allows port 8000/8088 inbound. 8000 is working as I can get to the admin page and can telnet on port 8000 but I'm unable to telnet to port 8088 remotely (works locally)